New Framework Defines Cyber Security Workforce Needs

Both the federal government and its contractors are locked in a battle for talent with commercial providers, each vying for the best personnel in critical areas of cybersecurity, and each dealing with a shortage of available talent.

Both would benefit from targeted investment in education and increased standardization to define the skills and knowledge required for different kinds of jobs – and now the National Institute for Standards and Technology (NIST) has taken a big step to help make that happen.

NIST published a framework for the future cybersecurity workforce this week, Special Publication 800-181, the culmination of years of effort under the National Initiative for Cybersecurity Education (NICE).

The framework defines “a common, consistent lexicon to describe cybersecurity work by category, specialty area, and work role,” and details the necessary knowledge, skills and abilities (KSAs) and tasks performed by individuals in each kind of job. The framework defines cyber operations jobs in seven operational categories and 32 job specialties.

The aim is that everyone – employers, educators, trainers and cyber professionals will be able to leverage that common language into a better understanding of the existing workforce and the knowledge gaps that need to be filled.

“Building the future workforce is a priority for all of us,” said Stan Tyliszczak, vice president and chief engineer at General Dynamics Information Technology, a systems integrator in Fairfax, Va. “Government, industry and academia all share in this problem. Having a common language we can use to understand each other will help employers explain their requirements and help educators deliver on those needs.”

It’s been a long time coming. A 2015 report on the cyber workforce – Increasing the Effectiveness of the Federal Role in Cybersecurity Education – concluded the government needed to make a host of changes to assure access to a skilled cyber workforce, said David Wennergren, until recently senior vice president for technology at the Professional Services Council, former assistant deputy chief management officer at the Defense Department and a one-time chief information officer for the Navy. Wennergren led the investigation.

The report examined two government-funded programs – the National Centers of Academic Excellence in Information Assurance/Cyber Defense (CAEs), funded by the National Security Agency (NSA) and the Department of Homeland Security (DHS); and the CyberCorps Scholarship for Service (SFS) program managed by the National Science Foundation (NSF) – and concluded they each needed:

More hands-on education. “We have to get people in the labs actually using tools and demonstrating proficiencies, not just doing text-book type work,” said Wennergren.

The government needs to ensure “we are delivering students who are competent and can to do the jobs without additional training to organizations,” Wennergren said.

Expand programs to include qualified two-year degrees at community colleges. Not all cybersecurity jobs require a four-year degree and military members who have both technical training and practical experience may already have the skills needed to perform critical cyber functions in non-military settings.

The entire federal sector needs cyber skills, not just defense and intelligence agencies. The CAE program should embrace the entire federal sector.

Two bills now working their way through Congress build on some of those concepts, particularly the potential for two-year degrees as a means of lowering barriers to entry to this critical part of the workforce.

The Department of Defense Cyber Scholarship Program Act of 2017, a bipartisan bill co-sponsored by Sen. Mike Rounds (R-S.D.), chairman of the Senate Armed Services’ Committee Subcommittee on Cybersecurity, and Sen. Tim Kaine (D-Va.), seeks to provide $10 million in scholarship funds, at least $500,000 of that to fund two-year degree-level programs.

A second bipartisan measure, the Cyber Scholarship Opportunities Act of 2017, co-sponsored by Kaine, Sen. Roger Wicker (R-Miss.), Sen. Patty Murray (D-Wash.), and Sen. David Perdue (R-Ga.), would amend the Cybersecurity Enhancement Act of 2014 by setting aside at least 5 percent of federal cyber scholarship-for-service funds for two-year degree programs, either for military veterans, students pursuing careers in cybersecurity via associates’ degrees in that discipline or students who already have bachelors’ degrees.

“Clearly both industry and government would benefit from improvements in how cyber is taught in academic institutions [and] how we measure the successful development and placement of students,” he said, adding both will also benefit from the wide adoption of the NICE workforce standards in which government, academia, and the private sector collaborated.

Workforce Shortfall By the Numbers
According to Cyberseek.org, a joint project of NICE, Burning Glass Technologies and CompTIA, there are more than 299,000 cybersecurity job vacancies in the United States today, representing about 28 percent of all U.S. cyber jobs. For some of those jobs, there are as many openings – or more – as there are certified, qualified candidates to fill them – even though such people are almost all employed. For example, there are 69,549 individuals who have earned Certified Information Systems Security Professionals (CISSP) status. But there are 76,336 openings for people with CISSPs.

The most common cyber certification is CompTIA Security+, with more than 167,000 people holding that certification. But there are still more than 33,000 openings for such people, meaning a significant shortage remains.

Rodney Peterson, NIST’s director for NICE, called the cyber workforce the “key enabler” of the future of the nation’s cyber security in a recent interview with Federal News Radio’s Tom Temin.

“We’re clearly building momentum to promote and energize a robust and integrated ecosystem of cybersecurity education, training and workforce development,” he said on Temin’s Federal Drive program. “I think it’s that momentum that both allows us to create a community across both the public and private sector. That NICE workforce framework really provides a common way to think about cybersecurity work, a taxonomy, a reference tool that can really help align our diverse and complex community together toward a common vision.”

Tobias Naegele is the editor in chief of GovTechWorks. He has covered defense, military, and technology issues as an editor and reporter for more than 25 years, most of that time as editor-in-chief at Defense News and Military Times.